12 Nov 2013

Hoodies, hats and otters

8:21 am on 12 November 2013

As I write this, sitting upstairs at Kiwicon, I am slightly nervously looking around seeing if there is anyone, wearing a black hat, huddled over a laptop hacking the bluetooth on my iPad keyboard.

Such were the warnings I had received about the kind of people that attend a security conference. Not just the shadowy intentions, but the technical skill it might require to somehow get into my computer through bluetooth, download all my information, clear out my bank account, fake my identity, and live a life of crime somewhere in South America. (I’m told it’s not actually that difficult.)

Such is the mainstream portrayal of hackers. Simon Pegg’s character Benji, in the Mission Impossible series, seems to be able to do virtually anything he wants, provided he has access to a fairly standard laptop. Never mind the 2007 film Live Free or Die Hard, where hackers basically plot Armageddon. They’re fought by erstwhile Apple poster boy Justin Long, and, of course, Bruce Willis. Along with some physics-defying set pieces, the movie also features the trope of Computer Guy In Basement (Kevin Smith, as Warlock – an excellent “hacker” name, who naturally lives with his mother).

The 1995 movie, Hackers, features some excellent outfits and hair, but was considered at the time an unconvincing portrayal, possibly because the internet was still unfamiliar to many people. It’s now a cult classic.

Also in 1995 was The Net, the trailer for which intones “every trace of our existence is computerised. Everything about us is encoded somewhere… on a complex network of information.” That probably looked like a dystopian future, not how we’d be living less than 20 years later – as we’ll discuss later this week.

When I start chatting to people about this at the conference, a small crowd forms. It’s suggested I look at the series The Girl with the Dragon Tattoo, and the character of Lisbeth Salander. The assembled people, most of whom happily identify as hackers, say that at least what she is portrayed as doing is theoretically possible. And they have fond memories of Lex Murphy in Jurassic Park (1993) exclaiming “It’s a Unix system. I know this.”

Beloved of geeks, Lex Murphy. Photo: Image from Jurassic Park.

The problem, they say, is that much of what they actually do looks really boring. There’s a lot of staring at a computer screen and watching code scroll by. The “everything black” aesthetic is more likely to be because of the bands they like, and because crawling around under desks to connect cables is often dusty.

But if the Hollywood portrayal doesn’t offend them, the news media’s does. I was told to search the New Zealand Herald website and Stuff.co.nz for the images they use to portray hackers. Mostly it’s all black masks; artfully blurred, over-the-shoulder shots of people sitting at computers; and a surprising number of men in hoodies. (That last stereotype was proven true at Kiwicon itself, to be fair.)

One man tells me hackers are the kids that broke open every toy they were ever given to figure out how they worked. Barnaby Jack, one of New Zealand’s best known hackers, was one such kid. He could make ATMs spew cash and sparked safety improvements in medical devices. He died this year, aged 35.

Barnaby Jack. Photo: Supplied

His sister, Amberleigh Jack, remembers Barnaby getting in trouble when he was a kid because he took apart his father’s computer and couldn't put it back together. She says the media coverage of his death was generally pretty good, but the general public's reaction to the coverage wasn’t. “A lot of people just didn't get it. It was like, ‘this guy can hack insulin pumps? Oh my god, he's awful.’ It's like, actually, no – he was saving your life.”

Amberleigh Jack says ‘Barns’ had a knack for showmanship. She says the whizzbang theatrics of his presentations – the ATMs, for example – were because he felt he had to do that to get people to pay attention. “…if people didn’t pay attention to it, then people wouldn't bother fixing the problem, because there was no need to, because people didn't know about it.”

She says Barnaby always told the manufacturer about the problems before releasing them to the public, to give them a chance to fix them before he went public with the details. “He didn't have a malicious bone in his body,” she says. “I’ve met a lot of people in the industry because of hanging out with Barns, but I’m no tech person. Every person you meet, they’re genuine, good, awesome people who are doing good things. They’re not a bunch of malicious dark lords, running around trying to break stuff.”

A picture of a man wearing a tshirt with the legend "nerd life"

Not wearing black. Or a hoodie. Photo: Unknown

But, of course, there are malicious hackers. One woman at Kiwicon tells me there are two kinds of hackers: white hats and black hats. The white hats are the good guys. The black hats are the ones people are scared of: shadowy, anonymous, malevolent. She says they’re in it for either financial gain, or political activism, or ego. And with them all goes a powerful combination of boredom and curiosity.

She likens the financial crime aspects of hacking to throwing a brick through a bank window. Often, organisations are paying a couple of technical people to develop a tool – the brick – to use. Another woman then points out that those tools are often dual purpose, and can be used for either good or evil.

Adam Lilley, a member of the Australian Federal Police’s CyberCrime Operations unit, shared his experience of Operation Damara, a seven-month investigation into the malicious activities of a hacker calling himself ‘Evil’. It resulted in a two-and-a-half-year prison sentence for one David Cecil, 25, of Sydney.

The investigation was progressed by Cecil boasting about his accomplishments online. Lilley notes that Cecil had become “consumed by the thrill his actions provided”, and had no real motive or strategy for identifying targets.

“When we talk about the motivations of a hacker, it’s often boredom,” says Lilley. “Boredom, and maliciousness, and a little bit of skill.” He notes that most criminals are motivated by financial reasons, and says it’s hard for police to defend against boredom.

The New Zealand Internet Task Force is currently working on guidelines for “responsible disclosure”, to help security researchers (what the white hat hackers are often called) and companies to work together.

Hackers fear disclosing their findings to companies because of the threat of legal action or negative publicity. Nick von Dadelszen and Ben Cree, who presented on behalf of the task force, told the Kiwicon audience that hackers have a 50 percent chance of being reported to the police, and the rest of the time they’ll have to spend a huge amount of time explaining why it is an issue.

The taskforce is asking for submissions on the guidelines, in an effort to “make it easier for security professionals to work together and help improve New Zealand’s cyber security posture.”

Technology and media commentator, Keith Ng, writing after he was caught up in news stories about hackers last year when he revealed a Work and Income kiosk security breach, pointed out that “if someone is telling you about their hacking, and the system in question hasn’t already been reduced to a steaming pile of goop, they’re probably not a ‘malicious’ hacker.”

AmmonRa, who revealed the security flaws in the Christchurch bus smart card system at the conference, was nervous about speaking to The Wireless. When we asked him, he first joked “Sure, providing I don’t get arrested before tomorrow.”

He says he notified the Canterbury Regional Council about the security issues with the website. The Council’s director of operations Wayne Holton-Jeffreys says the Council didn’t know. “He raised a different issue with us, he raised an issue with around the Metrocard, which is the technology we’ve had since 2003, and that he pointed out that he could access his card and add funds to it.”

Now, Stuff is reporting that the council has spoken to the police about the case.

Despite the reticence some hackers – or security researchers – feel about speaking to the media, everyone we spoke to at Kiwicon was friendly, approachable and happy to talk, even if it wasn’t on the record. A massive part of the issue seems to be that people just aren’t tech-literate enough to understand these issues, and that goes for journalists too. After all, I’m still confused over why a good 20 percent of the talks seemed to feature otters.